The Censys research team has been closely monitoring the spread of ESXiArgs ransomware since it was first detected in early February. The team has used Censys internet scanning data to track infected hosts across countries, to monitor how the hacker group has since responded, and to develop a dashboard with Censys data that researchers can use to track the ransomware.
As ESXiArgs ransomware activity unfolded, the story and our team’s work on it gained press pickup across 20+ industry publications and counting. You can check out a roundup of top articles below.
ESXiArgs ransomware: A timeline of events
First, let’s revisit what’s happened since the discovery of the ESXiArgs ransomware.
1. A ransomware campaign targeting VMware ESXi servers began in early February. Infections peaked on Feb. 3, at which time Censys observed 3,551 infected hosts.
2. Interestingly, the campaign presented ransom notes to the internet, making them visible to Censys’ passive scanners. We could also see that bitcoin wallet addresses were posted on the ransom pages, which allowed us to track payments.
3. We observed that France, the U.S., Germany, Canada, and other countries have seen attacks, with many occurring in France.
4. CISA then released a decryption tool; however, the hacker group responded by removing BTC addresses and encrypting additional data, making the existing decryption tools ineffective.
5. On February 11, the Censys team observed a burst of newly infected hosts, and discovered two hosts with very similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life.
6. The Censys team created a dashboard (using Censys data that’s updated every 24 hours) for researchers to track the spread of the campaign.
Find a full breakdown of our research team’s work in this Evolution of ESXiArgs Ransomware Censys blog post.
Bleeping Computer – Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
In this February 3 article, released on the day Censys observed peak ESXiArgs ransomware infections, Bleeping Computer reported on the active targeting of ESXi VMware servers. In updates to the article made on February 6, Bleeping Computer cites new data from Censys about infected servers: “…numbers quickly grew over the weekend, with 2,400 VMware ESXi devices worldwide currently detected as compromised in the ransomware campaign, according to a Censys search.”
Cyberscoop – Global ransomware spree infects unpatched VMWare servers. CISA has a (possible) fix.
Cyberscoop recounts how France’s CERT-FR first picked up ESXiArgs ransomware using Censys internet scan data and provides detail on how those impacted can use CISA’s ransomware recovery script on GitHub.
Reuters – No evidence global ransomware hack was by state entity, Italy says
Reuters cites data from Censys showing thousands of servers around the world affected by ESXiArgs ransomware, with the majority located in France, the U.S., and Germany. Reuters reports that Italy’s National Cybersecurity Agency does not believe that “a state or hostile state-like entity” is responsible, despite the global nature of the attack.
The Hacker News – ESXiArgs Ransomware Hits Over 500 New Targets in European Countries
On February 16, The Hacker News reported Censys’ finding that new targets in Europe had been hit by ESXiArgs ransomware. The article states that “The findings come from attack surface management firm Censys, which discovered ‘two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life.’” The Hacker News also includes statements from Censys Senior Security Researchers Mark Ellzey and Emily Austin.
TechTalk – Thousands of victims apparently hit by ESXiArgs ransomware
TechTalk spoke with Censys Senior Security Researcher Emily Austin about the wave of hosts infected by a new variant of the ESXiArgs ransomware. “‘[Threat actors] likely followed updates from the security community and realized that researchers were tracking their payments, and may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent,’ Austin said.”
Equinix – LinkedIn Coverage from Head of Equinix Threat Analysis Center, Sean O’Conner
The Censys research team’s work on ESXiArgs ransomware caught the attention of Head of Equinix Threat Analysis Center Sean O’Conner. Sean shared the Censys team’s interactive dashboard and noted the batch of newly infected servers that had been picked up by Censys scanning.
Additional ESXiArgs ransomware press coverage includes: